Behaviour of MIP even when no policy exists for the zone where the IP resides

Dear All, I have a little problem regarding MIP, as MIP is in the Global zone. I have three interfaces.

e1/1 trust 172.16.14.253/24

e1/2 DMZ 172.16.13.254/24

e1/3 Untrust 202.125.152.253/24

I have MIP 203.135.39.183 with Host IP 172.16.16.18. This Host IP is placed behind the Trust zone and a route is available in the ISG. Now I write the policy from Untrust to DMZ: any to MIP(203.135.39.183), any, any, any, permit. Now I am able to access the Host IP, which is in the TRUST zone, when I try to access MIP 203.135.39.183. Now the problem is that there is no policy from Untrust to Trust for the MIP; even though there is no policy to access the MIP from Untrust to Trust, I can access the MIP 203.135.39.183 and I can see the translation in the policy log of the Untrust to DMZ policy. It shows the destination IP 203.135.39.183 and the destination translation IP 172.16.16.18. It is working fine even if there is no policy from Untrust to Trust for the MIP, as long as the policy exists from Untrust to DMZ. It means we can access the MIP if a policy exists for any zone other than the zone where it resides.

I just want the MIP to be accessible from a particular zone only if a policy exists for that zone. If there is no policy from Untrust to Trust for the MIP, then it should not be accessible from Untrust to DMZ. Is it possible? Please explain this behaviour of MIP.

Re: Behaviour of MIP even when no policy exists for the zone where the IP resides

A MIP is bidirectional, so address translation is done in both directions. You define the MIP on the "outward facing" interface, normally untrust. For the inbound policy you define a policy from untrust to destinationzone, any, MIP(IP), service, permit, log. For the outbound you define a "normal" permit policy. Address translation will be done in both directions now. If there's a third zone involved you can define a policy from thirdzone to untrust with the public address as destination. When you connect to this IP the traffic will be passed through the MIP to the host.

Re: Behaviour of MIP even when no policy exists for the zone where the IP resides

I think you didn't understand my question. The question is: if there is no policy from untrust to trust for the MIP (IP1), and there is only one policy from untrust to DMZ for the MIP (IP1), then why can we access the MIP whose host IP (IP1) is placed in the trust zone? We can also see the translation in the policy log from untrust to DMZ, exactly the same as we required.

Why is it accessible through the Untrust to DMZ policy while the machine resides in the Trust zone and there is no policy from Untrust to Trust?

Re: Behaviour of MIP even when no policy exists for the zone where the IP resides

Got the question now! Sorry. MIP (as VIP) is somewhat strange in behaviour. The MIP is placed in the global address book, visible as a destination in all zones. The actual zone the traffic is sent to is based upon the host address in the MIP definition. So yes, you can screw up your policies for the look of it and define access to the MIP from untrust to DMZ while the actual host is in trust, and traffic will be granted. Of course it's your responsibility as an admin to avoid this.
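Since the MIP is a global address-book object, the only protection against a policy that names the wrong "to" zone is an audit of the config. The script below is an added example written for this thread, not something posted by either participant or shipped with ScreenOS. It takes `set interface` / `set route` / `set policy` lines in ScreenOS syntax, resolves each MIP's host address to an egress interface by longest-prefix match over connected subnets and static routes, maps that interface to its zone, and flags every MIP policy whose "to" zone is not the host's real zone. The config text is constructed from the addressing in the thread; the route for 172.16.16.0/24 via ethernet1/1, the gateway, the policy IDs and the trust-to-untrust policy are assumptions, because the thread does not show them.

```python
"""Audit ScreenOS policies whose destination is a MIP: report any policy whose
"to" zone differs from the zone the MIP's host address actually lives in.

CONFIG is constructed for this example from the thread's addressing. The route
to 172.16.16.0/24 via ethernet1/1, its gateway and the policy IDs are assumed.
"""
import ipaddress
import re

CONFIG = """\
set interface ethernet1/1 zone trust
set interface ethernet1/1 ip 172.16.14.253/24
set interface ethernet1/2 zone dmz
set interface ethernet1/2 ip 172.16.13.254/24
set interface ethernet1/3 zone untrust
set interface ethernet1/3 ip 202.125.152.253/24
set interface ethernet1/3 mip 203.135.39.183 host 172.16.16.18 netmask 255.255.255.255 vr trust-vr
set route 172.16.16.0/24 interface ethernet1/1 gateway 172.16.14.1
set policy id 1 from "Untrust" to "DMZ" "Any" "MIP(203.135.39.183)" "ANY" permit log
set policy id 2 from "Trust" to "Untrust" "Any" "Any" "ANY" permit
"""

IFACE_ZONE = re.compile(r'^set interface (\S+) zone (\S+)$')
IFACE_IP = re.compile(r'^set interface (\S+) ip (\S+)$')
MIP = re.compile(r'^set interface \S+ mip (\S+) host (\S+) netmask (\S+)')
ROUTE = re.compile(r'^set route (\S+) interface (\S+)')
# Only policies whose destination address is a MIP(...) object are of interest.
POLICY = re.compile(
    r'^set policy id (\d+) from "([^"]+)" to "([^"]+)" "[^"]+" "MIP\(([^)]+)\)"')


def parse(config):
    """Return (interface->zone, [(network, interface)], mip->host, [policies])."""
    zones, nets, mips, policies = {}, [], {}, []
    for line in config.splitlines():
        if m := IFACE_ZONE.match(line):
            zones[m[1]] = m[2].lower()
        elif m := IFACE_IP.match(line):
            # Connected subnet: traffic to it leaves via this interface.
            nets.append((ipaddress.ip_network(m[2], strict=False), m[1]))
        elif m := ROUTE.match(line):
            # Static route: egress interface is given explicitly.
            nets.append((ipaddress.ip_network(m[1], strict=False), m[2]))
        elif m := MIP.match(line):
            mips[m[1]] = m[2]  # single-host MIPs only (netmask /32)
        elif m := POLICY.match(line):
            policies.append((int(m[1]), m[2].lower(), m[3].lower(), m[4]))
    return zones, nets, mips, policies


def host_zone(host, zones, nets):
    """Zone the firewall will forward traffic for `host` into, by longest-prefix match."""
    addr = ipaddress.ip_address(host)
    best = max((n for n in nets if addr in n[0]),
               key=lambda n: n[0].prefixlen, default=None)
    return zones.get(best[1]) if best else None


def audit(config):
    """List (policy id, from, to, mip, host, real zone) for every mismatched MIP policy."""
    zones, nets, mips, policies = parse(config)
    findings = []
    for pid, src, dst, mip in policies:
        host = mips.get(mip)
        real = host_zone(host, zones, nets) if host else None
        if real != dst:
            findings.append((pid, src, dst, mip, host, real))
    return findings


if __name__ == "__main__":
    for pid, src, dst, mip, host, real in audit(CONFIG):
        print(f"policy {pid} {src}->{dst} permits MIP({mip}) but host {host} "
              f"is in zone {real}; fix the 'to' zone or remove the policy")
```

Run as-is, it reports policy 1 (untrust to dmz) because the MIP host 172.16.16.18 is routed out ethernet1/1 into the trust zone, which is exactly the case described in the thread. Rewriting that policy as `from "Untrust" to "Trust"` makes the audit come back clean. The check is intentionally conservative: any policy it cannot resolve (a MIP with no matching route or interface) is reported as well rather than silently passed.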